Things Matt Wrote

Writings from the intersection of law enforcement and the Internet

Why are business email compromise attacks so effective?

Because people are Helpful.

Because people are Trusting.

Because people are Obedient.

Phishing and Business Email Compromise attacks are acts of social engineering. They are attacks on humans and they prey upon human emotions. The most effective phishing emails exploit the target's emotions of Obedience, Fear, Kindness, or Curiosity. The most effective BEC emails target the employee's sense of obedience.

Employees want to be good workers. They want to excel at their jobs and win the praise of their supervisors. Imagine you are an accounts payable clerk or junior accountant and the CEO walks into your office and says "Jump." Are you going to ask how high, or are you going to ask why?

One of the biggest fears most employees have is failing at their jobs, or at least looking like they are failing. No one wants to question the boss and risk appearing incompetent or untrusting. Even when employees think the email directing the high-dollar wire transfer is suspicious, many times the urge to carry out the task with diligence and obedience overcomes the suspicion.

This week, the Milford Daily News detailed a Business Email Compromise attack executed on the city of Franklin, Tennessee. The city's treasurer transacted a wire transfer that resulted in a $522,000 loss to the municipality. The city manager described it as a “sophisticated cyber fraud”. It was not. It was just a standard spear-phishing attack taking advantage of an organization with untrained employees and insufficient security controls.

Read more...

Today is Black Friday, traditionally so named because it was the day when retail sales moved merchants’ balance books from red to black. The Internet and the current Covid-19 crisis have effectively made this annual shopping festival nothing but symbolic. The true event will occur in three days with Cyber Monday. Most retailers, however, have already altered their business models, and Black Friday has become Cyber Black Friday, blurring the lines between the two events.

I have previously written about RDDOS, or Dedicated Denial of Service for Ransom. This is a double-punch attack on Internet services that combines a traditional DDOS offensive with a demand for payment to make it stop. What better time to launch such an attack than the days preceding the largest Internet sales event of the year?

Read more...

I published a newsletter on Substack. Write.as has a simple newsletter option, but I found it just that: simple. Substack offered more creativity with formatting and backend functionality. The focus of the publication will be cyber-financial investigations and threat intelligence.

I will still be publishing at this write.as location.

I'd be honored if you would take a few minutes to give it a look. And maybe subscribe.

Matt's Newsletter

There is no doubt that small and medium business owners are caught between the proverbial rock and a hard place when confronting a ransomware attack on their network. Unlike large businesses and expansive corporations, they are unlikely to have a dedicated security team. In fact, they are lucky to have a person there just to keep the Internet connected and the printers online. A dedicated IT security person is an abstract luxury. And back-ups? John the Office Manager copied an Excel spreadsheet of the client listing to a USB thumb drive a few months ago. It is on his desk. Or maybe in his winter coat pocket.

It is completely understandable why any business leader chooses to pay the ransom. In most cases, they are out of options and desperate. Obviously, they wouldn’t pay thousands or hundreds of thousands of dollars if they had some alternative. But they don’t, so there they are.

In some cases, an insurance company is in the driver’s seat and has analyzed the options down to an actuarial decimal point. The decision is a cost-benefit calculation based on dollars and cents, not on right or wrong, or on what is best for the business or society.

Why is paying the ransom so bad? Why are law enforcement and security professionals so adamant that ransom demands never be satisfied if paying is a quick and easy fix that is in the best financial interest of the business?

Read more...

There is a noticeable trend of people declaring themselves a “Cybersecurity Evangelist”. A search of the term on LinkedIn finds over 38,000 people who claim security evangelism as part of their job title or description. However, a search of leading job boards finds only a scant listing of advertised positions. In fact, a search for “Cybersecurity Evangelist” jobs on LinkedIn reveals zero exact titles. The same search on Indeed returns only 84 available positions, and most are a hit for the Evangelist part rather than the Cybersecurity part. Remarkably, upwards of 38,000 people have somehow obtained a title that does not seem to be a hirable position. What exactly is this role, and what do those currently employed in it do? Even more importantly, what are the qualifications to be a Cybersecurity Evangelist? I set out to learn the answers to those questions since I might actually be an evangelist and just don't know it.

Read more...

My main computer is a 6th generation Lenovo Thinkpad X1 Carbon running Windows 10 Pro. I also have a second-generation X1 Carbon laptop that has run a dozen or so different operating systems over the past two years. It is a perfect test machine that handles every flavor of Linux I have thrown at it like a champ. It never tires or glitches or craps out on an install process. New installation after new installation it just keeps booting. Virtual machines are great, but you cannot really (really) test out an operating system until it is on the metal.

Currently, it is running Pop!_OS, the Ubuntu derivative rolled by System76. It is really good. Like, really, really good. It has a polished look with clean lines and very crisp icons. Most importantly, it works (well, most of it) perfectly from first boot.

The version is Pop!_OS 20.10 using the GNOME 3.38.1 desktop environment. I had been using Ubuntu before this experiment with Pop!, so the GNOME desktop was somewhat familiar. However, Pop! uses a very minimal version that allows for precise customization. For example, you must turn on the ability to maximize or minimize application windows. Out of the box, the window only displays an X that closes it altogether.

Read more...

The FBI released a PSA through the Internet Crime Complaint Center (IC3) reminding the public that using open Wi-Fi networks, particularly at hotels, is risky. The Bureau reminds us that connecting our devices to open and unsecured wireless Internet sources increases the risk of being victimized by those with malicious intent. The PSA specifically details the “Evil Twin Attack”, where the bad actor creates a look-alike Wi-Fi network using their own equipment. In the absence of proper protection, they have full access to your data when you mistakenly connect to their network “0pen Hilton Wifi” rather than the legitimate hotel network “Open Hilton Wifi”. Notice the zero?

Guests accessing open Wi-Fi networks have no idea how the network is maintained or the health of the physical equipment. The results of an Internet search for “hacking a router” should give you a cold shiver. And most businesses have neither the financial incentive nor the technical staff to ensure that hardware devices are well maintained, updated, and patched.

Read more...

I regularly speak to groups about cybercrime, or “Internet facilitated crime” for those industry elites who abhor the term cyber. I provide an example scenario where attackers utilize a dedicated denial of service (DDOS) attack to target small businesses. I classify it as a crime of extortion and explain how modern cyber-criminals use new technology to commit age-old crimes.

The scenario places a small independent florist at the mercy of a cyber attacker the week before St. Valentine's Day. The floral shop's website is suddenly unreachable at the most crucial time of the busiest week for a florist. A call to the website designer yields no results. Calls to the website hosting provider add only more frustration from department transfers, language barriers, and offers for higher-valued services that add more costs and “may” alleviate the problem.

After the site has been down for about 24 hours, the first email arrives. An offer of help. From the devil himself, of course. The email tersely explains that the website is under attack and that the attack can be stopped for a one-time payment of 5 BTC. What is a BTC, the panicked shopkeeper thinks, and how the hell do I get some? The small business has little choice but to pay the ransom or lose even more by having the website offline during the busiest week of the year!

Read more...

Mandiant (FireEye) recently released its report “Deep Dive into Cyber Reality – Security Effectiveness Report 2020”. The report details the effectiveness of the security control systems that Mandiant clients utilize within their environments. Mandiant claims to have executed “thousands of tests” that simulate real attacks.

The authors of the report make a very important point: protecting an organization's computer and information systems is not entirely an IT problem. It is a business problem. Even more, it is a problem for the entire organization. Every single stakeholder who has access to the system has some responsibility to secure it. This is particularly true of the business executives, who need to be more involved in security decisions. If the board does not have a CISO, it should. And that person needs to be viewed as an equal partner in the C-suite.

Of all the information provided by the report, the following stood out the most:

Read more...